Apache Druid has multiple service roles (broker, coordinator, historical, middle-manager, router). Hardening requires enabling built-in authN/authZ, TLS, and secret management for extensions.
¶ 1) Enable authentication and authorization extensions
- Enable Druid security modules (
druid-basic-security, or external auth extensions).
- Configure authenticated users for API/UI access.
- Use role-based authorization per datasource and admin endpoints.
- Disable anonymous admin access to coordinator/overlord/router APIs.
¶ 2) Enforce TLS for client and internal traffic
- Enable TLS on public Router/Broker endpoints.
- Use mTLS or secured internal communications where required.
- Store keystore/truststore files with restricted permissions.
- Rotate certificates and restart in controlled windows.
¶ 3) Harden ingestion and SQL access
- Restrict ingestion specs to trusted operators.
- Limit SQL endpoints and query contexts for untrusted clients.
- Protect metadata store credentials (PostgreSQL/MySQL).
- Audit high-cost queries and unauthorized datasource access attempts.
¶ Verification commands
grep -E 'druid\.auth|druid\.authorization|druid\.tls' /opt/druid/conf/*/*.properties
sudo ss -tulpn | grep -E ':8888|:8082|:8081|:8090'
sudo journalctl -u druid* --since '24 hours ago' | grep -Ei 'auth|forbidden|unauthorized|tls'
- Apache Druid security overview: https://druid.apache.org/docs/latest/operations/security-overview/
- Apache Druid basic security: https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security/
- Apache Druid security advisories: https://druid.apache.org/security/